New Stealit Campaign Abuses Node.js Single Executable Application | FortiGuard Labs
Summary
FortiGuard Labs discovered a new Stealit RAT campaign leveraging Node.js Single Executable Application (SEA) to distribute obfuscated malware payloads disguised as game and VPN installers. The campaign uses heavily obfuscated Node.js scripts bundled into standalone executables, expanding from previous Electron-based approaches. Stealit operates as a commercial malware-as-a-service offering with subscription plans for data extraction, webcam control, ransomware deployment, and remote access capabilities.
Full text
Stealit RAT Adopts Node.js Single Executable Application to Evade Detection and Expand Reach
By Eduardo Altares and Joie Salvio | October 10, 2025

Affected Platforms: Microsoft Windows
Impacted Users: Any organization
Impact: Compromised machines are under the control of the threat actor, and stolen information can be used for future attacks
Severity Level: Medium

FortiGuard Labs has encountered a new and active Stealit malware campaign that leverages the Node.js Single Executable Application (SEA) feature to distribute its payloads. The campaign was uncovered following a spike in detections of a particular Visual Basic script, which was later determined to be the malware's persistence component.

Earlier Stealit campaigns were built with Electron, an open-source framework for turning Node.js code into desktop applications, whose builds are typically shipped as NSIS installers. This new campaign instead uses Node.js' native Single Executable Application feature, which bundles a script and its assets into a standalone binary. Both approaches suit Node.js-based malware because the payload runs without a pre-installed Node.js runtime or any additional dependencies.

Based on the observed filenames, the malware is still distributed as installers disguised as games and VPN applications, as in previous campaigns. Recent samples are packaged with PyInstaller or in common compressed archives and uploaded to file-sharing sites such as Mediafire and Discord. This blog provides a detailed technical analysis of this new Stealit campaign.
The Stealit Website

Along with the updated malware binary, Stealit has relocated its panel website to new domains. When we first observed this campaign, the panel, which also functions as the Command-and-Control (C2) server, was hosted at stealituptaded[.]lol. That domain quickly became inaccessible as the C2 server was moved to iloveanimals[.]shop.

Accessing the panel leads to a commercial website for Stealit, which promotes itself as offering "professional data extraction solutions" through various subscription plans. A dedicated features page outlines its capabilities, highlighting typical remote access trojan (RAT) functionality such as file extraction, webcam control, live screen monitoring, and ransomware deployment, targeting both Android and Microsoft Windows systems. The site also features instructional videos that demonstrate how the service operates on each platform.

Figure 1: Stealit homepage

The website offers payment plans for the Windows and Android versions of the stealer, with lifetime subscriptions available for approximately $500 and $2,000, respectively.

Figure 2: Stealit subscription pricing

The service also runs a Telegram channel named StealitPublic, where updates and promotions are posted for prospective clients. The main contact is a Telegram user with the handle @deceptacle.
Figure 3: A promotional post on StealIt's Telegram channel

Technical Analysis

This Stealit campaign begins with an installer component that downloads additional components from its C2 server. All Node.js scripts bundled in the executables are heavily obfuscated to complicate analysis, and the installer passes through several layers before the actual main installer script is executed.

Installer - First Layer

As mentioned earlier, this campaign distributes its malicious Node.js scripts using the SEA feature. Node.js SEA is still an experimental, actively developed feature whose primary purpose is to distribute and run a Node.js application as a single executable binary on systems that do not have Node.js installed. The tradeoff is size: because the Node.js runtime itself, the application code, its dependencies, and its assets are all built into one file, even a simple "hello world" SEA for Windows can be around 85MB.

The malicious installer script to be executed by Node.js is stored as a raw data resource (RCDATA) named NODE_SEA_BLOB. In addition to the main script, that resource also records the original path of the script before packaging. In the samples we encountered, this path includes a directory named StealIt, strongly suggesting that it belongs to the stealer malware service of the same name. The path also includes angablue, which indicates that the binary was built with AngaBlue, an open-source project that automates the building of Node.js SEA executables.
Figure 4: NODE_SEA_BLOB resource data

The extracted 1.3MB installer script is heavily obfuscated to complicate analysis. In brief, it contains a large blob (~1.2MB) that is later decoded and executed as the second layer.

Figure 5: Second-layer script as an array of encoded strings

At the end of the script, this blob is decoded and executed directly in memory through Node.js' require machinery, which is normally used to import modules from disk.

Figure 6: Code snippet for the decoding and execution of the second layer

Installer - Second Layer

Essentially, the second layer is a function object that receives another large script as its second argument. This time the script is not encoded, but it is still heavily obfuscated.

Figure: Second layer

The script passed in that argument, which serves as the third layer, is likewise executed in memory using the same method as the second layer.
Installer - Third Layer

This stage performs all the functions needed to install the main components of the malware on the system. Here is a manually commented code snippet of the third stage, which executes a previously downloaded and decoded component.
Indicators of Compromise
- domain — stealituptaded.lol
- domain — iloveanimals.shop
- malware — Stealit RAT
- telegram handle — @deceptacle
- telegram channel — StealitPublic